Description
A vulnerability was determined in Tenda CH22 1.0.0.1. It affects the function formQuickIndex of the file /goform/QuickIndex of the component Parameter Handler. Manipulation of the argument mit_linktype causes a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.
Published: 2026-03-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A stack‑based buffer overflow exists in the formQuickIndex function of the Tenda CH22 router firmware 1.0.0.1. Manipulating the mit_linktype argument can corrupt the process stack, and based on the nature of the flaw it is inferred that an attacker could execute arbitrary code. This weakness falls under CWE‑119 and CWE‑121. The CVE description indicates the vulnerability can be exploited remotely and that the exploit has been publicly disclosed.

Affected Systems

The flaw affects Tenda CH22 routers running firmware version 1.0.0.1. It is confined to the Parameter Handler component accessed through the /goform/QuickIndex HTTP endpoint. No other firmware versions or products are explicitly listed.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as High severity, and the description states the attack is possible remotely via the HTTP interface. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, but if the device is exposed to the internet the risk of exploitation is significant.

Generated by OpenCVE AI on March 31, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest approved firmware update from Tenda to fix the stack overflow
  • If a patch is not yet available, block external access to the /goform/QuickIndex URL with firewall rules or router ACLs
  • Verify the firmware version after the update and ensure the QuickIndex endpoint is not reachable from untrusted networks


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Tenda ch22
Vendors & Products Tenda ch22

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in Tenda CH22 1.0.0.1. This impacts the function formQuickIndex of the file /goform/QuickIndex of the component Parameter Handler. This manipulation of the argument mit_linktype causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Title Tenda CH22 Parameter QuickIndex formQuickIndex stack-based overflow
First Time appeared Tenda, Tenda ch22 Firmware
Weaknesses CWE-119, CWE-121
CPEs cpe:2.3:o:tenda:ch22_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda, Tenda ch22 Firmware
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-31T14:04:30.211Z

Reserved: 2026-03-30T13:33:15.737Z

Link: CVE-2026-5156

Vulnrichment

Updated: 2026-03-31T14:04:22.679Z

NVD

Status: Received

Published: 2026-03-31T00:16:15.303

Modified: 2026-03-31T00:16:15.303

Link: CVE-2026-5156

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:39:47Z

Weaknesses